Volg ICTI

No More Ransom: the best anti-ransomware available

| Tijs Hofmans | Security

No More Ransom is both the name and the endgoal for a cooperation between the Dutch police and several security companies like McAfee and Kaspersky. The project has been running for more than a year now, and is becoming quite successful in fighting ransomware – but is it enough to fight the currently so devastating flood of ransomware?

No More Ransom was founded in July 2016 as a cooperation between both the public and private sector. With the push of a symbolic button, the website www.nomoreransom.org went live with prevention advice and free tools to remove several types of ransomware. Now, more than a year after its launch, the project is growing in numbers. The amount of decryption tools is on the rise, as is the number of visitors to the site, the number of participating partners, and the victims that benefit.

Free tools

No More Ransom offers free tools to victims of ransomware. When hit by encrypting malware, victims can upload a sample of an encrypted file to nomoreransom.org to see if a tool is available.

The tools are built by the participating security companies. Sometimes a specific tool is developed for a specific malware, but a few companies such as Kaspersky have built complete removal kits that are periodically updated when new decryption methods are discovered. This is a good initiative to stop the spread of the more advanced ransomware that we have seen since 2015.

Double approach

The way these tools are built is twofold. On the one hand, companies study new forms of ransomware to find flaws in the code and see if these flaws can be exploited to make decryption software. One caveat is that ransomware creators often keep a close eye on developments and can fix the bugs in their code, rendering a decryptor possibly useless.

Decryption keys

There’s another way to make decryptors, and that’s the one where the police comes into play. When investigators catch ransomware ceators, servers are often confiscated – including the decryption keys for the distributed ransomware (one of the companies helping the police in this way is Microsoft, described in Dutch here). These keys are handed over to private security companies who can then use them to make the decryption tools – a way that’s more foolproof and less prone to change. That method however is flawed as well, because it means that the tools resulted from this particular method can only decrypt ransomware that isn’t actively distributed anymore.

Strengths

Despite its flaws, that cooperation between law enforcement and private parties is what makes No More Ransom both unique and effective. Both Dutch law enforcement and the participating companies tout the cooperation and its success, pointing out the fact that No More Ransom is ‘the only real solution for victims of ransomware’. As it turns out, working together combines the best of both worlds, says John Fokker of the High Tech Crime Unit, the Dutch part of the national police force that focuses on cybercrime. “We’re good at tracking down criminals and investigating cybercrime, and we have the authority to confiscate equipment and keys. However, we lack the skills to use that to make prevention or removal tools. Companies like Kaspersky and Intel can do that perfectly, but they can’t obtain decryption keys on their own. That way both parties complement each other.”

Growing fast

No More Ransom quickly grew more popular, among users but especially within the security industry. Months after launch, the number of ‘partners’ to No More Ransom had grown exponentially from four founding partners to dozens of security firms and also dozens of national police forces. Europol was one of the founding partners . In October of 2016, Interpol joined the initative, making it easier to run investigations in other countries – something that’s becoming increasingly important in the globalized fight of cybercrime.

The number of available decryption tools grows by the day.

In the meantime, hundreds of larger and smaller private companies have become partners of No More Ransom, the total list of active partners now numbering more than 100.

Confusing numbers

There’s some confusion about the numbers No More Ransom puts forth about the number of decrypted computers and the total number of victims helped. In October, 3 months after the initial launch, No More Ransom talked about 2500 computers that had been saved from ransomware. Another 5 months after that, Dutch police claimed that number had risen to no less then 75,000, but during the one year anniversary of the launch that number had suddenly dwindled to 28.000.

Raj Samani, CTO of founding partner McAfee, says this is mostly because there’s no good method of collecting metrics on the number of victims that’s helped. No More Ransom uses data that’s collected by decryption tools made by participating partners, but not all of them collect this type of data, and the ones that do use different metrics. Similarly, it’s impossible to tell how much money is saved using such tools, an equation that’s made even more impossible due to the changing height of ransomware demands and the massively fluctuating value of the bitcoin.

Fighting the Hydra

Despite is success, No More Ransom isn’t the end-all, be-all of ransomware removal. Fighting ransomware has always been like fighting a threeheaded dragon. Everywhere that either law enforcement or security companies manage to take down a form of ransomware by arresting the creators or blocking it for users of AV, new variants pop up just as fast – just think of the recent Pteya and WannaCry attacks. Especially now that criminals know law enforcement is getting more effective in fighting ransomware.

Prevention over removal

No More Ransom might be one of the few true solutions for victims of ransomware, but it’s hardly enough – a problem the founders recognize themselves. The website emphasizes prevention of ransomware maybe more than removal.

Prevention is often better, not just in convenience but also often in costs – especially in businesses. Even if a tool is available to decrypt the ransomware that hit a company, restoring backups is often a costly process that can take days to implement. Loss of business during that time and overhead of staff and equipment can run up significant costs – and that’s with hoping the ransomware doesn’t strike a second time. So, sys-admins should learn the basic prevention against ransomware: patching software, teaching users about phishing, and possibly air-gapping important data. Also, making regular backups is obviously important, but equally important is checking their validity periodically. And companies that have not done this already, should definitely consider creating an information security team and implementing a policy based on a standard such as Security Verified or ISO 27001.

Author: Tijs Hofmans